Nltest

Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813). To use nltest, you must run the nltest command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

- Test trust relationships and the state of domain controller replication in a Windows domain
- Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

Nltest can test and reset the secure channel that the NetLogon service establishes between clients and the domain controller that logs them on. Clients using Kerberos authentication cannot use this secure channel.

A discrete communication channel, known as the secure channel, exists between trusted domains in a Windows NT 4.0 environment and parent domains and their immediate children in an Active Directory environment. In a Windows NT 4.0 environment, nltest uses these channels to authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication.

Nltest provides diagnostic features that you can use for troubleshooting Windows Server 2008 operating system configurations. However, because nltest is designed primarily for system administrators and support personnel, its output may be difficult to analyze. In that case, review the appropriate troubleshooting sections in the Windows Deployment and Resource Kits, searching for any of the keywords from the bulleted list in the nltest description above.

/query

Reports on the state of the secure channel the last time you used it. (The secure channel is the one that the NetLogon service established.)

/repl

Forces synchronization with the primary domain controller (PDC). Nltest synchronizes only changes that are not yet replicated to the backup domain controller (BDC). You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

/sync

Forces an immediate synchronization with the PDC of the entire Security Accounts Manager (SAM) database. You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

/pdc_repl

Forces the PDC to send a synchronization notification to all BDCs. You can use this parameter for Windows NT 4.0 PDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

/sc_query:<DomainName>

Reports on the state of the secure channel the last time that you used it. (The secure channel is the one that the NetLogon service established.) This parameter also lists the name of the domain controller that you queried over the secure channel.

/sc_reset:[<DomainName>]

Removes, and then rebuilds, the secure channel that the NetLogon service established. You must have administrative credentials to use this parameter.

/sc_verify:[<DomainName>]

Checks the status of the secure channel that the NetLogon service established. If the secure channel does not work, this parameter removes the existing channel, and then builds a new one. You must have administrative credentials to use this parameter. This parameter is only valid on domain controllers that run Windows 2000 with Service Pack 2 and later.

/sc_change_pwd:[<DomainName>]

Changes the password for the trust account of a domain that you specify. If you run nltest on a domain controller, and an explicit trust relationship exists, then nltest resets the password for the interdomain trust account. Otherwise, nltest changes the computer account password for the domain that you specify. You can use this parameter only for computers that are running Windows 2000 and later.
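The /sc_query, /sc_reset and /sc_verify parameters above are the usual way to check and repair the NetLogon secure channel. The following PowerShell is an added example, not part of the nltest reference: it parses the output of `nltest /sc_query:<DomainName>` into a health object so a script can decide whether a reset is needed. The domain `contoso.com` and the DC name `DC01` are constructed sample values.

```powershell
# Added example, not part of the nltest reference: parse the output of
# "nltest /sc_query:<DomainName>" into a health object so a script can
# decide whether the NetLogon secure channel needs "/sc_reset".
# The sample output below is constructed; field names follow nltest's layout.
function ConvertFrom-NltestScQuery {
    param([Parameter(Mandatory)][string[]]$Lines)

    $result = [ordered]@{
        Flags      = @()
        TrustedDc  = $null
        StatusCode = $null
        StatusText = $null
        Healthy    = $false
    }
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            # "Flags: 30 HAS_IP  HAS_TIMESERV": hex value, then symbolic flags
            '^Flags:\s+[0-9A-Fa-f]+\s+(.*)$' { $result.Flags = $Matches[1] -split '\s+' }
            # "Trusted DC Name \\DC01.contoso.com"
            '^Trusted DC Name\s+(\\\\\S+)$' { $result.TrustedDc = $Matches[1] }
            # "Trusted DC Connection Status Status = 0 0x0 NERR_Success"
            '^Trusted DC Connection Status Status = (\d+) (0x[0-9A-Fa-f]+) (\S+)$' {
                $result.StatusCode = [int]$Matches[1]
                $result.StatusText = $Matches[3]
            }
        }
    }
    # Healthy only when a DC was named and the last connection status is 0.
    $result.Healthy = [bool]($result.TrustedDc) -and ($result.StatusCode -eq 0)
    [pscustomobject]$result
}

# Constructed sample in the shape nltest prints for a working channel.
$sample = @'
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC01.contoso.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@ -split "`r?`n"

$state = ConvertFrom-NltestScQuery -Lines $sample
$state | Format-List

# Live use from an elevated prompt (the reference above requires one):
#   $state = ConvertFrom-NltestScQuery -Lines (nltest /sc_query:contoso.com)
#   if (-not $state.Healthy) { nltest /sc_reset:contoso.com }
```

A non-zero status or a missing Trusted DC Name line is the condition the reference describes for /sc_reset or /sc_verify; the parser reports it rather than acting on it, so the decision stays with the operator.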

/dclist:[<DomainName>]

Lists all domain controllers in the domain. In a Windows NT 4.0 domain environment, this parameter uses the Browser service to retrieve the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain controllers. If this query is unsuccessful, nltest then uses the Browser service.

/dcname:[<DomainName>]

Lists the primary domain controller or the PDC emulator for DomainName.

/dsgetdc:[<DomainName>]

Queries the Domain Name System (DNS) server for a list of domain controllers and their corresponding IP addresses. This parameter also contacts each domain controller to check for connectivity.

The following list shows the values that you can use to filter the list of domain controllers or to specify alternate name types in the syntax.

/PDC: Returns only the PDC (Windows NT 4.0) or domain controller that you designate as the PDC emulator (Windows 2000 and later).

/DS: Returns only those domain controllers that are Windows 2000 and later.

/DSP: Returns only Windows 2000 and later domain controllers. If the query finds no such server, then this value returns Windows NT 4.0 domain controllers.

/GC: Returns only those domain controllers that you designate as global catalog servers.

/KDC: Returns only those domain controllers that you designate as Kerberos key distribution centers.

/TIMESERV: Returns only those domain controllers that you designate as time servers.

/GTTIMESERV: Returns only those domain controllers that you designate as master time servers.

/NetBIOS: Specifies computer names in the syntax as NetBIOS names. If you do not specify a return format, the domain controller can return either NetBIOS or DNS format.

/DNS: Specifies computer names in the syntax as fully qualified domain names (FQDNs). If you do not specify a return format, the domain controller can return either NetBIOS or DNS format.

/IP: Returns only domain controllers that have IP addresses. This value returns only domain controllers that use TCP/IP as their protocol stacks.

/FORCE: Forces the computer to run the command against the DNS server instead of looking in the cache for the information.

/dnsgetdc:<DomainName>

Queries the DNS server for a list of domain controllers and their corresponding IP addresses.

The following list shows the values that you can use to filter the list of domain controllers.

/PDC: Returns only those domain controllers that are PDCs (Windows NT 4.0) or designated as PDC emulators.

/GC: Returns only those domain controllers that you designate as global catalogs.

/KDC: Returns only those domain controllers that you designate as Kerberos key distribution centers.

/WRITABLE: Returns only those domain controllers that can accept changes to the directory database. This value returns all Active Directory domain controllers, but not Windows NT 4.0 BDCs.

/LDAPONLY: Returns servers that are running a Lightweight Directory Access Protocol (LDAP) application. The servers can include LDAP servers that are not domain controllers.

/FORCE: Forces the computer to run the command against the DNS server instead of looking in cache for the information.

/SITE:<SiteName>: Sorts the returned records to list first the records that pertain to the site that you specify.

/SITESPEC: Filters the returned records to display only those records that pertain to the site that you specify. This operation can only be used with the /SITE parameter.

/dsgetfti:<DomainName> [/UpdateTDO]

Returns information about interforest trusts. You use this parameter only for a Windows Server 2008 domain controller that is in the root of the forest. If no interforest trusts exist, this parameter returns an error.

The /UpdateTDO value updates the locally stored information on the interforest trust.

/dsgetsite

Returns the name of the site in which the domain controller resides.

/dsgetsitecov

Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain controller of its own.

/parentdomain

Returns the name of the parent domain of the server.

/dsregdns

Refreshes the registration of all DNS records that are specific to a domain controller that you specify.

/dsderegdns:<DnsHostName>

Deregisters DNS host records for the host that you specify in the DnsHostName parameter.

The following list shows the values that you can use to specify which records nltest deregisters.

/DOM: Specifies a DNS domain name for the host to use when you search for records on the DNS server. If you do not specify this value, nltest uses the DNS domain name as the suffix of the DnsHostName parameter.

/DSAGUID: Deletes Directory System Agent (DSA) records that are based on a GUID.

/DOMGUID: Deletes DNS records that are based on a globally unique identifier (GUID).

/whowill:<Domain> <User>

Finds the domain controller that has the user account that you specify. You can use this parameter to determine whether nltest has replicated the account information to other domain controllers.

/finduser:<User>

Finds the directly trusted domain that the user account that you specify belongs to. You can use this parameter to troubleshoot logon issues on older client operating systems.

/transport_notify

Flushes the negative cache to force the discovery of a domain controller. You can use this parameter for Windows NT 4.0 domain controllers only. This operation is done automatically when clients log on to Windows 2000 and Windows Server 2003 domain controllers.

/dbflag:<HexadecimalFlags>

Sets a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags. The entry in the Windows Server 2003 registry for debug flags is HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.

/user:<UserName>

Displays many of the attributes that you maintain in the SAM account database for the user that you specify. You cannot use this parameter for user accounts that are stored in an Active Directory database.

/time:<HexadecimalLSL> <HexadecimalMSL>

Converts Windows NT Greenwich Mean Time (GMT) time to ASCII. HexadecimalLSL is a hexadecimal value for least significant longword. HexadecimalMSL is a hexadecimal value for most significant longword.

/logon_query

Queries the cumulative number of NTLM logon attempts at a console or over a network.

/domain_trusts

The following list shows the values that you can use to filter the list of domains.

/Primary: Returns only the domain to which the computer account belongs.

/Forest: Returns only those domains that are in the same forest as the primary domain.

/Direct_Out: Returns only the domains that are explicitly trusted with the primary domain.

/Direct_In: Returns only the domains that explicitly trust the primary domain.

/All_Trusts: Returns all trusted domains.

/v: Displays verbose output, including any domain SIDs and GUIDs that are available.

/dsquerydns

Queries for the status of the last update for all DNS records that are specific to a domain controller that you specify.

/bdc_query:<DomainName>

Queries for a list of BDCs in DomainName, and then displays their state of synchronization and replication status. You can use this parameter only for Windows NT 4.0 domain controllers.

/sim_sync:<DomainName> <ServerName>

Simulates full synchronization replication. This is a useful parameter for test environments.

/list_deltas:<FileName>

Displays the contents of the FileName change log file, which lists changes to the user account database. Netlogon.chg is the default name for this log file, which resides only on Windows NT 4.0 BDCs.

/cdigest:<Message> /domain:<DomainName>

Displays the current digest that the client uses for the secure channel. (The digest is the calculation that nltest derives from the password.) It also displays the digest that is based on the previous password. Nltest uses the secure channel for logons between client computers and a domain controller, or for directory service replication between domain controllers. You can use this parameter in conjunction with the /sdigest parameter to check the synchronization of trust account passwords.

/sdigest:<Message> /rid:<RID_In_Hexadecimal>

Displays the current digest that the server uses for the secure channel. (The digest is the calculation that nltest derives from the password.) It also displays the digest for the previous password. If the digest from the server matches the digest from the client, then the passwords that nltest uses for the secure channel are synchronized. If the digests do not match, then nltest might not have replicated the password change yet.

/shutdown:<Reason> [<Seconds>]

Remotely shuts down the server that you specify in ServerName. You use a string to specify the reason for the shutdown in the Reason value, and an integer to specify the number of seconds before the shutdown occurs in the Seconds value. For a complete description, see the Platform SDK documentation for InitiateSystemShutdown.

The DNS_DC and DNS_DOMAIN flags indicate the format of the information returned in the request (as opposed to a flag like GC or TIMESERV, which tells you something about the domain controller returning the information). Specifically, their presence indicates that the returned domain controller name and domain name, respectively, were in DNS format; their absence indicates that those names were in NetBIOS format.
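To make the distinction above usable in a script, the following PowerShell is an added example, not part of the nltest reference: it parses `nltest /dsgetdc:<DomainName>` output, reads the DNS_DC and DNS_DOMAIN format flags separately from the role flags (PDC, GC, KDC, WRITABLE), and reports which name format came back. The domain `contoso.com`, the DC `DC01` and the address `192.0.2.10` are constructed sample values.

```powershell
# Added example, not part of the nltest reference: parse "nltest /dsgetdc:<DomainName>"
# output and read the DNS_DC / DNS_DOMAIN format flags described above, separately
# from the role flags (PDC, GC, KDC, WRITABLE). The sample output is constructed.
function ConvertFrom-NltestDsGetDc {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        # Field lines are "<Label>: <Value>"; the trailer line has no colon and is skipped.
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $flags = @()
    if ($fields.Contains('Flags')) { $flags = @($fields['Flags'] -split '\s+') }

    # Presence of DNS_DC / DNS_DOMAIN means the name came back in DNS form; absence means NetBIOS.
    $dcFormat  = if ($flags -contains 'DNS_DC')     { 'DNS' } else { 'NetBIOS' }
    $domFormat = if ($flags -contains 'DNS_DOMAIN') { 'DNS' } else { 'NetBIOS' }

    [pscustomobject]@{
        DcName          = $fields['DC']
        Address         = $fields['Address']
        DomainName      = $fields['Dom Name']
        DcSite          = $fields['Dc Site Name']
        OurSite         = $fields['Our Site Name']
        DcNameFormat    = $dcFormat
        DomainFormat    = $domFormat
        IsPdcEmulator   = $flags -contains 'PDC'
        IsGlobalCatalog = $flags -contains 'GC'
        IsKdc           = $flags -contains 'KDC'
        IsWritable      = $flags -contains 'WRITABLE'
        Flags           = $flags
    }
}

# Constructed sample in the layout nltest /dsgetdc prints.
$sample = @'
           DC: \\DC01.contoso.com
      Address: \\192.0.2.10
     Dom Name: contoso.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
'@ -split "`r?`n"

ConvertFrom-NltestDsGetDc -Lines $sample | Format-List
# Live use from an elevated prompt, forcing DNS-format names:
#   ConvertFrom-NltestDsGetDc -Lines (nltest /dsgetdc:contoso.com /DNS)
```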

Example 4: Determine the PDC emulator for a domain

The following example identifies the domain controller that Windows NT 4.0–based computers see as the PDC emulator for a domain.